[Home] :: [Support] :: [FAQs]

How To Complain About Spam

A Primer for LMi.net Customers

One of the problems with spam is that is it very tempting to Just Hit Delete. While that may get today's spam out of your Inbox, it does nothing in the long run to prevent tomorrow's spam. What you should do is to complain about the spam to the spammer's ISP(s). If the Internet community's anti-spam collective voice is loud enough, it will help the anti-spam cause and put pressure on the spam-supporting ISPs to terminate their spamming customers. This page will hopefully empower you to complain to spammers' ISPs, who might actually terminate their spammers if they get enough complaints.

It is important to complain properly. First you want to make sure that you complain to the right people/ISPs. You also need to word your complaint in the most effective way. Finally, you should add your complaint and the evidence of your spam to the public spam archive. This archive allows the anti-spam community to combine efforts, cross-reference spam run evidence, and to see who the worst spamming offenders are.

You may initially feel a little bit daunted by the steps you need to take to report spam. Just take everything one step at a time. If you get a lot of spam, perhaps start by reporting just a few spams a day. As you get the hang of it you'll notice that you can analyze and report your spam more quickly each time you do it. Make things easy for yourself. If you find yourself typing the same text to the spammers' ISPs, write a boilerplate reply, put it in a text file and then just copy and paste it into the spam complaint. If you are Unix savvy, you can write yourself a shell script that automates some of the processes described below.

Spam can only be stopped by the efforts and outcries of the spam victims. Every time someone adds their voice and energy to the anti-spam community, our collective will becomes more powerful in stopping spammers and spam-supporting ISPs. Together we can make a difference!

1. Make sure that it really is spam

Keep good track of what mailing lists you sign up for. Also, make sure that when purchasing online, you know whether or not you have consented to receive mailings from that company. If you receive some e-mail that you have actually consented to receive, please do not complain about it, and go through the proper opt-out procedure to remove yourself from future mailings.

That said, I think the vast majority of Internet users know when they have received spam. It will be from a company they never heard of, or there will be some bogus, vague excuse in the spam as to how you supposedly opted-in to receive their mailings ("This is not spam because we bought a list of e-mail addresses", "This is not spam because it's legal", etc.), or it will be from the obvious, unapologetic spammers peddling Viagra, phony diplomas, mortgage scams, chain letters, etc. This is not to say that the content alone can identify it as spam (spam is about conSent, not conTent). If you signed up (in the proper confirmed opt-in manner) to receive mailings about Viagra from Company A, then Company A's mailings to you about Viagra are NOT spam.

2. View the full headers of the spam

Once you have positively identified an e-mail as spam, the first thing you should do is to examine the full e-mail headers. When you receive e-mail the full headers are not normally displayed, only the "Date:", "From:", "To:", and "Subject:", which are not enough to reveal the real origin of a message. For instructions on how to display the full headers see this page.

Note that spammers routinely forge many aspects of an e-mail message. Don't trust the "FROM:" address - it's likely bogus. Don't trust the "Reply-To:" address - that is often bogus as well. Don't even trust the "To:" address - yes, this can be forged. And remember: DON'T REPLY TO THE SPAMMER DIRECTLY! Definitely DO NOT try and get yourself removed from their mailing list by following their remove instructions. First of all, it's probably bogus. Many spammers' "remove" schemes are nothing more than their way of validating that your address is valid and read by a human. They will not remove your from their mailing list - instead they will sell your address to another spammer. Another reason not to use their "remove" scheme, even if it did remove you from their mailing list: Why should the burden be on you to remove yourself from a mailing list that you never signed up for in the first place? If you think opt-out is OK, think about this: anyone can add your e-mail address to any number of mailing lists without your consent. Do you really want to spend your time online attempting to remove yourself from these multitudes of lists? Your time will be much better spent removing the spammers from the Internet!

3. Find out where the spam actually came from

Now that you are seeing the full headers, you can begin to investigate the players in this spam. The first thing you should examine is the top "Received:" line. This line shows the IP address (a number containing 4 dots -- for example: 211.35.251.66) of the mail server that sent the spam to your mail server (your mail server is either "lanfill.lmi.net" or "bellpepper.lanminds.net" or "mxrelay.lmi.net").

NOTE: If the "Received:" line shows any one of LMi.net's mail servers sending the mail to another LMi.net mail server, go to the next "Received:" line. We are looking for the mail server outside of the LMi.net network that sent the mail to "bellpepper.lanminds.net" or to "lanfill.lmi.net" or "mxrelay.lmi.net".

Let's look at an example spam header:

The IP address that delivered the e-mail to "lanfill.lmi.net" (in this case 211.35.251.66) is what we are looking for. You might think that the machine belongs to Hotmail, because of the "oe68.law12.hotmail.com". Don't trust the host name, that's easily forgeable. Ignore the host name and only look at the IP address. The sending IP address is difficult to forge, so we can trust that 211.35.251.66 is indeed the IP that sent the spam to "lanfill.lmi.net". I would not trust any "Received:" headers below that one, however, as spammers do forge "Received:" headers (the ones preceding the top "Received:" line cannot always be trusted; and note that "Received:" headers are read from bottom to top).

OK, so we have the IP address of the spam spewing machine. To whom does this machine belong? To the spammer? Probably not. Spammers usually hijack other people's machines to send their spam. This is what's called an "open relay", when a mail server is configured to allow hijacking by spammers. Competent mail server administrators do not allow relaying on their machines for non-customers. So it's likely that this machine is mis-configured.

The IP address could belong to the spammer, though. Some spammers do not make any attempts to hide, they spam from their own IP space.

So the IP address either belongs to the spammer or to a machine that is configured to allow spammers to use it.

Let's find out who owns the IP address. To do this, look up the IP address in the ARIN database. ARIN (the American Registry for Internet Numbers) is the authority that doles out IP addresses to networks. Their IP lookup page is at:

Plug in the IP address into the search text box and hit "Submit". If the IP address belongs to an organization in North America or sub-Saharan Africa it will display the owner of the IP address. Organizations located outside ARIN's geographical area of responsibility should be looked up in their regional registry:

• RIPE (European Registry): http://www.ripe.net/ripencc/pub-services/db/whois/whois.html
• APNIC (Asia Pacific Registry): http://www.apnic.net/apnic-bin/whois2.pl
• LACNIC (Latin America and the Caribbean Registry): http://lacnic.net/cgi-bin/lacnic/whois?lg=EN

To determine in which geographical area a particular country is located, see the List of Countries in Regional Registry Geographical Areas at http://www.arin.net/library/internet_info/countries.html.

4. Complain to the owner of the spam-spewing mail server

Now that you can see who owns the IP address where the spam was sent from, you can send a complaint to them. Locate the contact e-mail address in the IP lookup output. If the address is not "abuse@DOMAIN" or "postmaster@DOMAIN", you should also complain to those addresses as well. Anyone who runs a mail server on the Internet is required to have a working "postmaster@DOMAIN" address, and networking organizations should have an "abuse@DOMAIN" for receiving complaints about their customers' net abuse. This is not to say that all organizations have those e-mail addresses, but if they do not, they can be reported to:

rfc-ignorant.org documents who has chosen not to implement certain protocols described in the RFCs (Internet standardization documents), and provide a means for allowing people to determine for themselves if they wish to communicate with non-compliant systems.

Another way of finding out the appropriate address to complain to is the Network Abuse Clearinghouse:

The Network Abuse Clearinghouse is intended to help the Internet community to report and control network abuse and abusive users. They keep a master database of reporting addresses for users throughout the net to use.

5. Word your complaint appropriately

Without further research, it may be difficult to determine whether the spam came from an open relay (the owner of the machine may not know that their machine has been hijacked by a spammer) or from a properly configured machine that is part of the spammer's ISP. Some spammers send spam directly from their own machine to the recipient's mail server, bypassing their own ISP's mail server entirely (this is called "direct-to-MX" spam). It's best to word your complaint to cover both possibilities.

Be polite in your e-mail. Many Abuse Desk workers on the Internet will respond to your complaint and take the appropriate action (close the open relay / terminate a spamming customer); they do not need vitriol from non-customers to help them do the right thing. Some Abuse Desk workers will immediately delete spam complaints that contain profanity or abusive language. It's more effective in the long run if you are polite to the Abuse Desk, no matter how mad you are about getting the spam.

Here's what you might say in your e-mail:

The rule is to be brief, polite, and to explain exactly why you are contacting the recipient about this spam. Make sure to include the spam WITH THE FULL HEADERS in the complaint mail. Spam without the full headers cannot be investigated by the ISP and might be discarded without notice to you.

It's also a good idea to summarize your complaint in the Subject line. When you normally forward an e-mail the Subject line remains the same, but adds "FWD:" at the beginning of the subject line. You don't want the Subject line to be the same one that the spammer used. It's so much more helpful for the receiving ISP to instead get an e-mail with a subject line like "Spam from your IP address 211.35.251.66". Don't just put "spam" or some other generic Subject line. Be as clear and precise as you can with your Subject lines. It really makes a difference to people who get a lot of e-mail. And since some spammers are so stupid that they actually spam "abuse@DOMAIN", this will help the Abuse Desk separate their own incoming spam from spam complaints.

6. Look for a reply to your complaint

Many ISPs, especially large ISPs, will send an automatic reply to any mail sent to "abuse@THEIRDOMAIN". This called an "auto-ack". It may contain information about that ISP's Acceptable Use Policy (AUP), it may contain a tracking number, or it may be just a brief generic message saying "we got your e-mail". There may also be a subsequent reply following up about that specific spam incident. Some ISPs are very vague about what action they took, if any. Sometimes they'll just say "we took appropriate action per our AUP". This could mean anything, but mostly it means they have a lawyer looking over their shoulder and they are reluctant to tell you if they actually did anything about their spamming customer. Other ISPs will tell you straight out "we nuked that spamming idiot", or some might say "spamming does not violate our AUP" or "we're going to give the customer another chance before we kick them off our network". Every ISP has their own policy about spam and the consequences of spamming by their customers. That's not to say that it's OK for any ISP to allow their customers to spam -- the spam-friendly ISPs that allow the spam to continue from their networks will be identified and eventually widely blocked -- but it's all part of a comprehensive campaign by anti-spammers to educate ISPs and network owners about appropriate policies and the importance of policy enforcement.

It's a good idea to archive all replies you get from your spam complaints. Between your incoming spam, your outgoing complaints, and the replies you receive after complaining, you are building a spam evidence archive. These documents may prove very useful for tracking spammers over the long run and for assisting network administrators in documenting spamming or abusive customers.

If you have documented evidence that you have complained to the appropriate people about spam you have received and the spam continues to flow from that very same netblock/IP address, you now have evidence that the owner of the netblock/IP address is either actively supporting their spamming customers, ignoring complaints, or does not have the staff to handle the complaint load. No matter what the case is, if the spam continues, that network needs to be shunned through block listing. If you post your spam to a public archive (more on that below) the block list administrators will have more evidence for their block lists, and it will bolster their case for listing a spam-supporting ISP.

7. See if the spammer's Web site is alive

Complaining the owner of the spam-spewing mail server is one important step in the process. The problem is that most spammers have umpteen zillion techniques to hijack a mail server and then move on to the next one, or they use "throw-away" dial-up accounts to send their spam. This makes the spammer a moving target and more difficult for network administrators to nail. But if the spammer advertises a Web site in their spam, that is an easier target. Many ISPs have a clause in their Acceptable Use Policy (AUP) that says that customers may not advertise Web sites hosted on their network via spam (another word for this is "spamvertising"). If enough complaints come in to the spammer's Web hosting ISP, they might terminate the Web site. Then the spammer has to set up shop at another ISP. This makes spam more costly and more of a hassle for the spammer, and that's a good thing.

Many spammers send their spam not in plain text, but in HTML code. HTML code is meant for Web browsers to interpret and was not designed for the e-mail system. However, many modern e-mail applications have the ability to interpret HTML code. If your e-mail application does this, it has the effect concealing the spammer's Web site address (called a "URL") from you. They might have hyperlinked the URL to some text in the spam and instruct you to click on the text to be directed to their Web site. Don't do it! It just garners Web site hits for the spammer. It also helps spammers track how successful their spam run was. Some spammers use HTML code that even specifies your e-mail address, so they can tell that *you* responded to their spam if you click on the link.

If you are not seeing the raw HTML source code in the spam, you need to display it so you can find out what the spammer's Web site address is without actually going to the Web site. Instructions on how to display raw HTML source code in your e-mail application are here:

http://spamcop.net/fom-serve/cache/19.html

Once you can see the underlying HTML source code you can find out what the actual Web site URL is. Look for the characters "http://" and the text that immediately follows it (usually something like "www.spammersite.com"). Once you have the Web site address, you should do two things: First, you might want to "ping" the site to see if it is still alive. It is possible that the ISP has already taken the site down. To ping the site, go to

http://www.lmi.net/support/netdiag.php

and scroll to the "Network Connectivity Tools/Machine and Host info" section. Choose "ping" for the action, paste in the Web site address, and click on the "submit query" button. [NOTE: do not paste in the "http://" part of the address, just the "www.spammersite.com" part of the address.] If the site is up and running your will see results like this:

"0% packet loss" (or something pretty close to that) means that the site is up and running. So know you know that the spammer's site is alive and well.

You could also just visit the Web site using your browser. It's really your choice. Sometimes visiting the Web site of the spammer can give you more information on them. Sometimes the ISP has terminated the customer but kept the site alive so that they can display a message such as "we have terminated this customer for violating our AUP". If you do decide to visit the site and the original URL contains your e-mail address, such as "http://www.spammersite.com/tracking.cgi?=you@yourisp.net", just take that part out of the URL and paste only "http://www.spammersite.com" into the browser destination text box. This will allow you to see the spammer's Web site without them knowing that it was you that visited and prevents confirming to the spammer the so-called success of their spam run.

8. Find out who hosts the spammer's Web site

To find out which ISP hosts the Web site, first find out the IP address of the Web site. Some spammers actually use the IP address instead of a host name in their Web site URL (example: "http://61.129.81.61"). This means that you do not have to look up the IP address. But if the spammer's site uses a host name (example: "http://www.spammersite.com"), you'll need to look up its IP address. Again, go to

http://www.lmi.net/support/netdiag.php

and scroll to the "Network Connectivity Tools/Machine and Host info" section. This time choose "DNS Lookup" for the action, paste in the Web site address, and click on the "submit query" button. [NOTE: do not paste in the "http://" part of the address, just the "www.spammersite.com" part of the address.] You will see results like this:

If you also get a line that says something like "Aliases: alias.spammersite.com" just ignore that part. The important part of the result is the IP address of the Web site.

Now that you know the spammer's Web site IP address, you can find out who owns the IP address. See the instructions in the "3. Find out where the spam actually came from" section above that begins with "Let's find out who owns the IP address." However, instead of sending to "postmaster@DOMAIN" you should instead write to "hostmaster@DOMAIN". Postmasters administrate mail servers; hostmasters administrate Web servers, so "hostmaster@DOMAIN" is more appropriate for contacting the spammer's Web site administrator. Again, not all network organizations have a "hostmaster@DOMAIN" address, but it's certainly worth a try to send to that address.

9. Post your spam to a public archive

It's helpful the anti-spam cause to post and share spam run evidence. That way everyone can see who the most prolific and egregious spammers are and build a case against the spammers to present to their ISP(s). The best place to post your spam is on the Usenet newsgroup "news.admin.net-abuse.sightings".

Usenet is like a huge electronic bulletin board where people can discuss every topic under the sun. You can read and post messages for the world to see on Usenet. If you are not familiar with Usenet, you should read the FAQ at http://www.faqs.org/usenet/. You will need a software program called a "newsreader" to post to Usenet.

The most important points for people new to Usenet are:

1. Lurk before you post. This means that you should read the posts for a while before posting yourself, so that you can understand the policies, appropriate topics and posting styles before you barge into the newsgroup. If you post to a newsgroup without lurking, you are almost sure to make some netiquette faux pas, and you might be berated by the longtime posters who frequent that newsgroup.
   
2. Read the FAQ. There is a "Frequently Asked Questions" file for most newsgroups (see http://www.faqs.org/). FAQs serve as an introduction to the newsgroup, and will likely answer the questions you have about the group so that you do not have to bring up beginner questions to the seasoned posters.
   

The "news.admin.net-abuse.sightings" newsgroup is not a discussion group like most newsgroups are. It is only for posting spam (both Usenet spam and e-mail spam). To post an e-mail spam:

• Configure your newsreader to "munge" your e-mail address to prevent it from being harvested by spammers. For more information on munging your e-mail address see http://members.aol.com/emailfaq/mungfaq.html.
• Your Subject line should be "[email] <The subject line of the spam goes here>"
• In the body of the message, post your spam WITH FULL HEADERS. Spam without full headers is totally useless as evidence.
• You might want to munge your own e-mail address from the spam. Don't give the spammers a chance to harvest your address! Popular forms of munging an address posted on "news.admin.net-abuse.sightings" are "xxxxx@xxx.xxx" or simply replacing your address with "[]".
• Don't munge anything other than your own address and/or your own mail server hostname/IP address. You want to protect your own e-mail address and anonymity, but if you gut the headers too much it's not useful as evidence.
• It's helpful if you put a statement in the body of the message, before the spam itself, stating that you complained to the spammers's ISP(s). Just a brief "Complaints went to abuse@SPAMMER'S_ISP" or some such thing is all that's necessary. If a spammer's ISP later says "but we never received any complaints" this public archive will show that that is not the case.
  

10. Enjoy a cup of your favorite beverage for a job well done.

For the coffee connoisseur, we recommend Peet's Coffee.

By following the steps above you are most definitely contributing to the anti-spam cause! These steps may not reduce your personal spam load right away, but rest assured, they are absolutely effective in adding to the pressure on ISPs to be anti-spam. You never know, one of your complaints might trigger the termination of a spammer's account from their ISP. It is the collective individual efforts of all anti-spam folks that will ultimately spell the end of spam.

WANT TO LEARN MORE?

These links are a great start for learning about spam fighting:

• http://spam.abuse.net
• http://mail-abuse.org
• http://www.spamfaq.net
• http://www.cauce.org
• http://www.spews.org